Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)
ID: S0030
Associated Software: Anunak
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 17 Aug 2023

Associated Software Descriptions

Name Description
Anunak (Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

The Carbanak malware communicates to its command server using HTTP with an encrypted payload.(Citation: Kaspersky Carbanak)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.(Citation: FireEye CARBANAK June 2017)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Carbanak has a command to create a reverse shell.(Citation: FireEye CARBANAK June 2017)

Enterprise T1136 .001 Create Account: Local Account

Carbanak can create a Windows account.(Citation: FireEye CARBANAK June 2017)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Carbanak encodes the message body of HTTP traffic with Base64.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)

Enterprise T1114 .001 Email Collection: Local Email Collection

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.(Citation: FireEye CARBANAK June 2017)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Carbanak has a command to delete files.(Citation: FireEye CARBANAK June 2017)

Enterprise T1056 .001 Input Capture: Keylogging

Carbanak logs key strokes for configured processes and sends them back to the C2 server.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Carbanak downloads an executable and injects it directly into a new process.(Citation: FireEye CARBANAK June 2017)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.(Citation: FireEye CARBANAK June 2017)

Groups That Use This Software

ID Name References
G0046 FIN7

(Citation: Mandiant FIN7 Apr 2022) (Citation: FireEye FIN7 Aug 2018) (Citation: DOJ FIN7 Aug 2018) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FireEye FIN7 March 2017) (Citation: IBM Ransomware Trends September 2020) (Citation: FBI Flash FIN7 USB)

G0008 Carbanak

(Citation: Kaspersky Carbanak)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.